ddidderr/softlan-vpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(gateway): require announced MAC before LAN injection

Browse Source 
The relay already enforces client source MAC identity before forwarding, but
this gateway bridge could still write any safety-clean relayed frame to
AF_PACKET. That left the final physical-LAN boundary depending entirely on the
relay forwarding path.

Keep a lifecycle-seeded remote client table in the gateway bridge and reject
relay frames whose datagram peer id is unknown or whose Ethernet source MAC does
not match the announced client MAC. CAM refresh now uses the same announced
table instead of learning source MACs from relay traffic.

This is conservative: if data arrives before the lifecycle event, the gateway
drops that frame with UnauthorizedSourceMac. Later packets proceed after the
control event is processed.

Test Plan:
- cargo test -p lanparty-gateway connects_to_relay_control_stream_as_gateway
- cargo test -p lanparty-gateway
- cargo test --workspace
- cargo clippy --workspace --all-targets -- -D warnings
- cargo fmt --check
- git diff --check

Refs: PLAN.md safety filters; TESTING.md MVP acceptance guide
This commit is contained in:
ddidderr
2026-05-22 05:38:35 +02:00
parent 234bece265
commit bd6479e4b5
3 changed files with 80 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+5 -4
View File
@@ -184,7 +184,8 @@ never fragments Ethernet frames; LAN frames with invalid source MACs, L2
control-plane traffic, jumbo frames, or encoded datagrams exceeding the
negotiated QUIC budget are counted, dropped, and logged locally instead of
stopping the bridge or consuming relay bandwidth. Remote frames received from
the relay are safety-checked again before LAN injection, so invalid-source,
the relay are safety-checked again before LAN injection and must use the
announced virtual MAC for their source peer, so invalid-source, forged-source,
L2 control-plane, remote VLAN, DHCP-server, IPv6 Router Advertisement, IPv6
fragment, and jumbo frames cannot cross the gateway's final physical-LAN
boundary even if they reached the gateway over QUIC.
@@ -192,9 +193,9 @@ boundary even if they reached the gateway over QUIC.
The gateway rejects Linux interfaces that sysfs identifies as Wi-Fi, and rejects
wired interfaces whose sysfs carrier state reports no link; managed wireless
NICs are not supported for the physical LAN bridge.
It tracks remote-client source MACs seen from relay traffic and periodically
emits small CAM refresh frames so the physical switch keeps those MACs
associated with the gateway port. Gateway
It tracks remote-client MACs from relay lifecycle events and periodically emits
small CAM refresh frames so the physical switch keeps those MACs associated
with the gateway port. Gateway
frame logs include direction, peer id when present, MACs, ethertype/length,
frame length, action, and drop reason. The gateway also tracks frame/datagram
counters and periodically sends stats snapshots to the relay. Malformed or runt